Is Snowflake the 'third-party cloud platform' caught up in massive AT&T data heist?

The customer records of almost 110 million people have been stolen - and it's claimed that a familiar name may be at the centre of the story

The breach of an officially-unnamed "third-party cloud platform" has resulted in the leakage of a huge trove of data relating to "nearly all" AT&T cellular customers.

We spoke to an AT&T source who claimed this mysterious provider was, in fact, Snowflake, which has been hit by a number of data breaches blamed on customer security failures such as forgetting to switch on MFA. TechCrunch and other reliable news sites have also published their own allegations.

However, we have not yet been able to confirm these claims with Snowflake, so we're leaving this whodunnit unsolved until it makes a formal announcement to either confirm or deny the allegation. We have contacted Snowflake to ask if it was involved - or not - and will update this story if and when we hear back.

Speaking off the record, the AT&T source confirmed that 110 million was a good "ballpark" estimate of how many customers' records were stolen.

AT&T does not believe the data is publicly available and announced that it understands "at least one person has been apprehended."

What information was stolen in the AT&T data heist?

On April 19, 2024, the telecoms giant learned that a threat actor "claimed to have unlawfully accessed and copied AT&T call logs."

It "immediately activated" incident response processes, commissioning external cybersecurity experts to assist.

AT&T believes that the threat actors unlawfully accessed an AT&T workspace on that coyly-named "third-party cloud platform" and spent more than a week between April 14 and April 25, 2024 exfiltrating files containing AT&T records of customer call and text interactions.

"The data does not contain the content of calls or texts or personal information such as Social Security numbers, dates of birth, or other personally identifiable information," AT&T wrote.

However, it does contain records of calls and texts of "nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (MVNO) using AT&T’s wireless network".

"These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month," the telecoms firm continued.

While the data does not include customer names, AT&T admitted "there are often ways, using publicly available online tools, to find the name associated with a specific telephone number."

It added: "AT&T has taken additional cybersecurity measures in response to this incident including closing off the point of unlawful access. AT&T will provide notice to its current and former impacted customers."

How should organisations respond to the AT&T data leak?

Infosec professionals advised businesses to look for obvious attacks such as phishing in the wake of the AT&T leak, as well as taking steps to secure their supply chain.

Christiaan Beek, Senior Director Threat Analytics at Rapid7, told The Stack: “The breach against AT&T is huge and will certainly worry any customer whose data has been leaked. Customers should exercise extreme caution and be on the lookout for any potential phishing attacks or other types of fraud. With the type of data stolen, SMS phishing could be particularly prevalent.

"An organisation is only as secure as its weakest third-party network, and security protocols are only effective if all of their third-party providers are equally secure.

"Cybercriminals are aware of this and will attempt to breach the weakest link in the chain to gain access to systems and steal highly sensitive data. The sheer amount of personal information stored means it’s even more important that supply chains are secured.

"To protect supply chains, organisations should maintain a good standard of cyber hygiene, including the enforcement of multi-factor authentication. Additionally, network perimeter devices are primary targets for attackers; therefore, critical vulnerabilities in these technologies need to be remediated immediately.”


Sean Deuby, Principal Technologist at Semperis, warned that prominent telcos were being "caught up in this never-ending breach syndrome that impacts every organisation large and small."

"What is highly likely in all breaches is that the criminals will compromise an organisation’s identity system, such as Active Directory or Entra ID, the directory services developed by Microsoft that allows IT administrators to manage computers, devices, and employee accounts on a network," he said.

"The vast majority of attacks use these systems as a well-paved pathway to their target. This provides hackers with access to a treasure trove of personally identifiable information on employees, customers, business strategies and other sensitive information.

"Organisations need to have an assumed breach mindset because threat actors will eventually breach most of their targets if they’re persistent enough. It’s not just a risk; it’s a probability."

He suggested "preparing in peacetime" by building a backup and recovery plan.

Mandiant has investigated the "threat campaign targeting Snowflake customer database instances with the intent of data theft and extortion."

Mandiant and Snowflake have notified approximately 165 potentially exposed organizations. Researchers attributed the breach to UNC5537, a "financially motivated threat actor suspected to have stolen a significant volume of records from Snowflake customer environments."

It blamed the compromises on three factors.

"The impacted accounts were not configured with multi-factor authentication enabled, meaning successful authentication only required a valid username and password," Mandiant wrote.

"Credentials identified in infostealer malware output were still valid, in some cases years after they were stolen, and had not been rotated or updated. The impacted Snowflake customer instances did not have network allow lists in place to only allow access from trusted locations."
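The three factors Mandiant lists can be turned into a routine check over an account inventory. The sketch below is an added example, not code from Mandiant, Snowflake or AT&T; the inventory records, their field names, the 90-day rotation threshold and the audit date are all constructed assumptions.

```python
from datetime import date
from ipaddress import ip_network

MAX_PASSWORD_AGE_DAYS = 90  # assumed rotation policy, not a figure from the article

# Constructed sample inventory; field names are hypothetical, not a Snowflake schema.
ACCOUNTS = [
    {"user": "etl_service", "mfa": False,
     "password_set": date(2020, 11, 3), "allow_list": []},
    {"user": "analyst_a", "mfa": True,
     "password_set": date(2024, 5, 20), "allow_list": ["0.0.0.0/0"]},
    {"user": "analyst_b", "mfa": True,
     "password_set": date(2024, 6, 1), "allow_list": ["203.0.113.0/24"]},
]

def allow_list_is_effective(cidrs):
    """An allow list only restricts access if it exists and no entry
    covers the whole address space (0.0.0.0/0 or ::/0)."""
    if not cidrs:
        return False
    return all(ip_network(c, strict=False).prefixlen > 0 for c in cidrs)

def audit_account(account, today):
    """Return the findings for one account, one per factor that applies."""
    findings = []
    if not account["mfa"]:
        findings.append("no_mfa")  # password alone is enough to log in
    if (today - account["password_set"]).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("stale_credential")  # a stolen password would still work
    if not allow_list_is_effective(account["allow_list"]):
        findings.append("no_effective_allow_list")  # reachable from anywhere
    return findings

def audit(accounts, today):
    """Map each user to its findings, accounts with the most findings first."""
    results = {a["user"]: audit_account(a, today) for a in accounts}
    return dict(sorted(results.items(), key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    # Constructed audit date so the output is reproducible.
    for user, findings in audit(ACCOUNTS, date(2024, 7, 12)).items():
        print(f"{user}: {', '.join(findings) or 'ok'}")
```

An account such as `analyst_a` shows why the allow-list check looks at the entries rather than just their presence: a list containing `0.0.0.0/0` permits every source address.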

We did ask AT&T whether it had checked if its MFA was on or off, but did not receive a response.
